IN THE CLAIMS: 



A complete listing of the claims is set forth below, renumbered according to the 
Examiner's amendment that corrected the previously submitted claims, which included two 
claims numbered 34. Please amend the claims as follows: 

1 . (Currently Amended) A security system for a computer system, comprising: 
a plurality of assets within the computer system; 

a plurality of members registered to use the computer system; 

a plurality of groups, each group comprising at least two of the plurality of members: 

a plurality of roles defining user rights to access one or more of the plurality of 
assets, each member and each group associated with at least one role; 

a plurality of access control lists each corresponding to an asset and defining at 
least one privilege for accessing the asset corresponding to the privilege, according to a 
member's role; and 

at least one domain being an administrative and access control boundary around a 
plurality of security entities, the security entities of the at least one domain comprising: 

a subset of the plurality of assets and the access control lists corresponding 
to the assets in the subset of the assets; 

a subset of the plurality of roles; and 
a subset of the members; 
each privilege defined in the access control lists of the at least one domain 
identifying one or more roles in the domain that may access the asset corresponding to 
the privilege; 

the security system operable to authorize a particular member to perform a 
requested operation with respect to a requested asset within the domain when the 
particular member is associated with a role, in the domain, corresponding to a privilege for 
the requested asset. 

2. (Currently Amended) The system of Claim 1 , wherein: 

the privileges for each asset include operations that can be performed on that 
asset; and 
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the security system is operable to authorize access to the requested asset when a 
requested access by the particular member includes an operation to be performed from 
the access control list and the particular member is associated with a role, in the domain, 
corresponding to a privilege for the requested asset. 

3. (Previously Presented) The system of Claim 1 , wherein the at least one 
privilege includes one or more of: 
a read privilege; 
a modify privilege; and 
a delete privilege. 

4-5. (Cancelled) 

6. (Original) The system of Claim 1 , wherein the system includes at least two 
domains. 

7. (Currently Amended) A method for providing secure access to a plurality of 
assets within a computer system, comprising: 

registering a plurality of members to use the computer system; 
establishing a plurality of groups, each group comprising at least two of the plurality 
of members: 

providing a plurality of roles defining user rights to access one or more of the 
plurality of assets, each member and each group associated with at least one role; 

providing a plurality of access control lists each corresponding to an asset and 
defining at least one privilege for accessing the asset corresponding to the privilege, 
according to a member's role; 

providing at least one domain defining an administrative and access control 
boundary around a plurality of security entities, the security entities of the at least one 
domain comprising: 

a subset of the plurality of assets and the access control lists corresponding 
to the assets in the subset of the assets; 

a subset of the plurality of roles; and 
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a subset of the members; 
each privilege defined in the access control lists of the at least one domain 
identifying one or more roles in the domain that may access the asset corresponding to 
the privilege; 

when a particular member attempts to access a requested asset within the at least 
one domain, determining at least one role assigned to the particular member; 

comparing rights corresponding to the role assigned to the particular member to the 
privileges defined in the access control list corresponding to the particular asset; and 

if the attempted access is authorized for the role assigned to the particular member, 
allowing the particular member to access the requested asset. 

8. (Original) The method of Claim 7, wherein a requested access is one from 
the types read, modify, or delete. 

9. (Previously Presented) The method of Claim 7, further comprising, prior to 
the particular member attempting to access the requested asset: 

authenticating the particular member's identification; and 
assigning at least one role to the particular member. 

1 0. (Previously Presented) The system of Claim 6, wherein the plurality of 
roles comprise one or more of: 

a domain role defining user rights within a single domain; and 
a universal role defining user rights across a plurality of domains. 

1 1 . (Previously Presented) The system of Claim 6, wherein a first domain and 
a second domain are joined by a unidirectional trust relationship, allowing privileges 
associated with the first domain's assets to be delegated to the second domain. 

12. (Previously Presented) The system of Claim 6, wherein a first domain and 
a second domain are joined by a bidirectional trust relationship, allowing: 

privileges associated with the first domain's assets to be delegated to the second 
domain; and 
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privileges associated with the second domain's assets to be delegated to the first 
domain. 

1 3. (Previously Presented) The system of Claim 6, wherein a first domain 
owns a second domain such that the first domain can create and destroy the second 
domain. 

14. (Previously Presented) The system of Claim 1 , wherein the plurality of 
roles are assigned to a plurality of user groups, each user group comprising one or more 
of the plurality of members. 

1 5. (Previously Presented) The system of Claim 1 , wherein each of the 
plurality of access control lists comprises a plurality of access control entries, each 
comprising: 

a domain identifier; 
a role identifier; and 
one or more privileges. 

16. (Previously Presented) The system of Claim 1 , wherein: 
the system comprises at least two domains; and 

the system is further operable to grant the particular member, which is assigned a 
particular domain/role combination, ownership of a particular operation on a particular 
access control list, ownership over of the particular access control list allowing the 
particular member to grant rights to perform the operation to one or more members in a 
different domain than the particular member that are assigned the same role as the 
particular member. 

1 7. (Previously Presented) The system of Claim 1 , wherein: 

one or more of the plurality of assets each comprise a registered asset, a registered 
asset being a resource that is protected by the security system; and 

each registered asset is classified according to a corresponding asset type, which 
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determines how its corresponding registered assets are identified and what operations 
may be performed on its corresponding registered assets. 

1 8. (Previously Presented) The system of Claim 1 , wherein the security 
system is operable to authorize access to the requested asset by: 

receiving from the particular member a request to access the requested asset, the 
request comprising: 

an identification of the requested asset; 

an identification of an operation to perform with respect to the requested 
asset; and 

an identification of the domain and role assigned to the particular member; 
determining, based at least in part on the access control list corresponding to the 
requested asset and the domain and role assigned to the particular member, whether the 
particular member may perform the identified operation with respect to the requested 
asset; and 

initiating an appropriate action based on the authorization determination. 

19. (Previously Presented) The system of Claim 1 , wherein the security 
system is operable to: 

receive from the particular member a request comprising: 

one or more query criteria specifying one or more assets; and 
an identification of the domain and role assigned to the particular member; 
add appropriate security-related criteria to the request; 

execute a query to determine one or more assets satisfying the query criteria to 
which the particular member has read access; and 

initiate an appropriate action based on results of the executed query. 

20. (Previously Presented) The system of Claim 1 , further operable to: 
receive a request to define a new asset type, the request comprising one or more of 

a name of the new asset type, a description of the new asset type; and a format of the new 
asset type; 

enable determination of one or more operations that should apply to the new asset 
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type; and 

enable association of the determined one or more operations with the new asset 

type. 

21 . (Previously Presented) The system of Claim 1 , further operable to, prior to 
the particular member attempting to access the requested asset: 

authenticate the particular member's identification; and 
assign at least one role to the particular member. 

22. (Previously Presented) The method of Claim 7, further comprising 
providing at least two domains. 

23. (Previously Presented) The method of Claim 22, wherein the plurality of 
roles comprise one or more of: 

a domain role defining user rights within a single domain; and 
a universal role defining user rights across a plurality of domains. 

24. (Previously Presented) The method of Claim 22, wherein a first domain 
and a second domain are joined by a unidirectional trust relationship, allowing privileges 
associated with the first domain's assets to be delegated to the second domain. 

25. (Previously Presented) The method of Claim 22, wherein a first domain 
and a second domain are joined by a bidirectional trust relationship, allowing: 

privileges associated with the first domain's assets to be delegated to the second 
domain; and 

privileges associated with the second domain's assets to be delegated to the first 
domain. 

26. (Previously Presented) The method of Claim 22, wherein a first domain 
owns a second domain such that the first domain can create and destroy the second 
domain. 
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27. (Previously Presented) The method of Claim 7, wherein the plurality of 
roles are assigned to a plurality of user groups, each user group comprising one or more 
of the plurality of members. 

28. (Previously Presented) The method of Claim 7, wherein each of the 
plurality of access control lists comprises a plurality of access control entries, each 
comprising: 

a domain identifier; 
a role identifier; and 
one or more privileges. 

29. (Previously Presented) The method of Claim 7, further comprising: 
providing at least two domains; and 

granting the particular member, which is assigned a particular domain/role 
combination, ownership of a particular operation on a particular access control list, 
ownership over of the particular access control list allowing the particular member to grant 
rights to perform the operation to one or more members in a different domain than the 
particular member that are assigned the same role as the particular member. 

30. (Previously Presented) The method of Claim 7, wherein: 

one or more of the plurality of assets each comprise a registered asset, a registered 
asset being a resource for which secure access is provided; and 

each registered asset is classified according to a corresponding asset type, which 
determines how its corresponding registered assets are identified and what operations 
may be performed on its corresponding registered assets. 

31 . (Previously Presented) The method of Claim 7, further comprising 
authorizing access to the requested asset by: 

receiving from the particular member a request to access the requested asset, the 
request comprising: 

an identification of the requested asset; 

an identification of an operation to perform with respect to the requested 
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asset; and 

an identification of the domain and role assigned to the particular member; 
determining, based at least in part on the access control list corresponding to the 
requested asset and the domain and role assigned to the particular member, whether the 
particular member may perform the identified operation with respect to the requested 
asset; and 

initiating an appropriate action based on the authorization determination. 

32. (Previously Presented) The method of Claim 7, further comprising: 
receiving from the particular member a request comprising: 

one or more query criteria specifying one or more assets; and 
an identification of the domain and role assigned to the particular member; 
adding appropriate security-related criteria to the request; 

executing a query to determine one or more assets satisfying the query criteria to 
which the particular member has read access; and 

initiating an appropriate action based on results of the executed query. 

33. (Previously Presented) The method of Claim 7, further comprising: 
receiving a request to define a new asset type, the request comprising one or more 

of a name of the new asset type, a description of the new asset type; and a format of the 
new asset type; 

enabling determination of one or more operations that should apply to the new 
asset type; and 

enabling association of the determined one or more operations with the new asset 

type. 

34. (Currently Amended) Software for providing secure access to a plurality of 
assets within a computer system, the software embodied in computer-readable media and 
when executed using one or more computer systems operable to: 

register a plurality of members to use the computer system; 
establishing a plurality of groups, each group comprising at least two of the plurality 
of members: 

Response to Office Action 
Attorney Docket No. 020431.0971 
Serial No. 09/800,168 
Page 9 



provide a plurality of roles defining user rights to access one or more of the plurality 
of assets, each member and each group associated with at least one role; 

provide a plurality of access control lists each corresponding to an asset and 
defining at least one privilege for accessing the asset corresponding to the privilege, 
according to a member's role; 

provide at least one domain defining an administrative and access control boundary 
around a plurality of security entities, the security entities of the at least one domain 
comprising: 

a subset of the plurality of assets and the access control lists corresponding 
to the assets in the subset of the assets; 

a subset of the plurality of roles; and 

a subset of the members; 
each privilege defined in the access control lists of the at least one domain 
identifying one or more roles in the domain that may access the asset corresponding to 
the privilege; 

when a particular member attempts to access a requested asset within the at least 
one domain, determine at least one role assigned to the particular member; 

compare rights corresponding to the role assigned to the particular member to the 
privileges defined in the access control list corresponding to the particular asset; and 

if the attempted access is authorized for the role assigned to the particular member, 
allow the particular member to access the requested asset. 

35. (Previously Presented) The software of Claim 34, wherein a requested 
access is one from the types read, modify, or delete. 

36. (Previously Presented) The software of Claim 34, further operable to, prior 
to the particular member attempting to access the requested asset: 

authenticate the particular member's identification; and 
assign at least one role to the particular member. 

37. (Previously Presented) The software of Claim 34, operable to provide at 
least two domains. 
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38. (Previously Presented) The software of Claim [[36,]] 3L wherein the 
plurality of roles comprise one or more of: 

a domain role defining user rights within a single domain; and 
a universal role defining user rights across a plurality of domains. 

39. (Previously Presented) The software of Claim [[36,]] 37,wherein a first 
domain and a second domain are joined by a unidirectional trust relationship, allowing 
privileges associated with the first domain's assets to be delegated to the second domain. 

40. (Previously Presented) The software of Claim [[36,]] 3L wherein a first 
domain and a second domain are joined by a bidirectional trust relationship, allowing: 

privileges associated with the first domain's assets to be delegated to the second 
domain; and 

privileges associated with the second domain's assets to be delegated to the first 
domain. 

41 . (Previously Presented) The software of Claim [[36,]] 37, wherein a first 
domain owns a second domain such that the first domain can create and destroy the 
second domain. 

42. (Previously Presented) The software of Claim 34, wherein the plurality of 
roles are assigned to a plurality of user groups, each user group comprising one or more 
of the plurality of members. 

43. (Previously Presented) The software of Claim 34, wherein each of the 
plurality of access control lists comprises a plurality of access control entries, each 
comprising: 

a domain identifier; 
a role identifier; and 
one or more privileges. 
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44. (Previously Presented) The software of Claim 34, further operable to: 
provide at least two domains; and 

grant the particular member, which is assigned a particular domain/role 
combination, ownership of a particular operation on a particular access control list, 
ownership over of the particular access control list allowing the particular member to grant 
rights to perform the operation to one or more members in a different domain than the 
particular member that are assigned the same role as the particular member. 

45. (Previously Presented) The software of Claim 34, wherein: 

one or more of the plurality of assets each comprise a registered asset, a registered 
asset being a resource for which secure access is provided; and 

each registered asset is classified according to a corresponding asset type, which 
determines how its corresponding registered assets are identified and what operations 
may be performed on its corresponding registered assets. 

46. (Previously Presented) The software of Claim 34, further operable to 
authorize access to the requested asset by: 

receiving from the particular member a request to access the requested asset, the 
request comprising: 

an identification of the requested asset; 

an identification of an operation to perform with respect to the requested 
asset; and 

an identification of the domain and role assigned to the particular member; 
determining, based at least in part on the access control list corresponding to the 
requested asset and the domain and role assigned to the particular member, whether the 
particular member may perform the identified operation with respect to the requested 
asset; and 

initiating an appropriate action based on the authorization determination. 

47. (Previously Presented) The software of Claim 34, further operable to: 
receive from the particular member a request comprising: 

one or more query criteria specifying one or more assets; and 
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an identification of the domain and role assigned to the particular member; 
add appropriate security-related criteria to the request; 

execute a query to determine one or more assets satisfying the query criteria to 
which the particular member has read access; and 

initiate an appropriate action based on results of the executed query. 

48. (Previously Presented) The software of Claim 34, further operable to: 
receive a request to define a new asset type, the request comprising one or more of 

a name of the new asset type, a description of the new asset type; and a format of the new 

asset type; 

enable determination of one or more operations that should apply to the new asset 
type; and 

enable association of the determined one or more operations with the new asset 

type. 
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